Virtual Private Networks

What is the Requirement for VPN?


There are many potential threats to a network, especially one exposed to the Internet. Often these threats are perceived as external: some outside entity (a hacker or cracker) attempts to break into the network to steal data or read confidential information about the organization's business operations. While these external entities pose a significant threat to network security, internal entities frequently pose a far greater threat, and that threat is typically not addressed by network security defence mechanisms.

Network Vulnerabilities-
All the perimeter defence mechanisms in the world will not protect your network from an internal user who either intentionally or inadvertently deletes important corporate data files. Many network administrators focus solely on external threats, to the exclusion of security policies that should mandate network access and usage rules for internal users. All network security initiatives should therefore begin by identifying the critical network resources and assigning relevant and appropriate user access rights; security products and protocols should then be employed only to enforce that overall network security policy. The key point is that a network security policy must be applied to both internal and external users.
Types:
Loss of Privacy
Data Theft
Impersonation
Loss of Integrity

Data Security Assurance-

Total data security assurance can only be achieved through a comprehensive strategy that addresses each type of network threat.
To counteract Loss of Privacy and Data Theft, we must employ security protocols that provide Confidentiality for sensitive information as it travels across the untrusted or public network. Protocols that provide confidentiality typically employ encryption techniques that scramble the data so that its content is not exposed to anyone on the untrusted or public network.
To counteract Loss of Integrity, whereby an external entity may not be able to see the data content but can still alter it, we must employ security protocols that validate the Integrity of information travelling across an untrusted or public network. Such protocols rely on hashing algorithms, which generate a fingerprint, so to speak, unique to the data content. Hashing algorithms do not prevent alteration of data; they allow the communicating parties to detect when alteration occurs.
Finally, to counteract problems associated with Impersonation, we must employ Authentication protocols that both validate and guarantee the identity of the communicating parties. Authentication protocols are implemented in many forms, such as digital signatures, digital certificates or pre-shared keys.
So, the key point to remember is that effective data security assurance, from a protocol perspective, requires methods for ensuring data confidentiality, integrity, and authentication.
IPsec Overview-
A consolidated solution to the network vulnerabilities discussed above is IPsec.
IPsec is a set of security protocols and algorithms used to secure IP data at the network layer. IPsec provides data confidentiality (encryption), integrity (hash) and authentication (signatures/certificates) for IP packets while maintaining the ability to route them through existing IP networks or the Internet.
IPsec stands for Internet Protocol Security. As the name implies, it is only specified to work with the TCP/IP communications protocol. IPsec does not directly work with other communications protocols such as IPX, AppleTalk, etc.; it can only be made to support non-TCP/IP protocols if they are encapsulated as IP packets. However, because TCP/IP has become the standard for network-layer communications, this limitation imposes no real obstacle to employing comprehensive network data security assurance; the Internet in particular is entirely founded on the TCP/IP protocol.
IPsec can best be described as an umbrella standard for specific network security protocols. IPsec was initially defined in RFCs 1825 through 1828. IPsec combines several constituent protocols to secure IP data at the network layer: specific encryption protocols to provide data confidentiality, hashing protocols to provide data integrity, and signature, certificate and key protocols to provide data authentication. Additionally, since IPsec applies these protocols outside of the IP header, IP packets can be routed normally through existing IP networks. This creates a degree of transparency whereby intermediate routing devices need neither have knowledge of nor be affected by the underlying IPsec protocols.
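The following Python model is an added illustration, not part of the original paper, of the two points above: the integrity and authentication services described under Data Security Assurance, and the IPsec transparency point that a tunnel-mode packet travels between gateways with a new outer IP header (protocol 50) while the inner packet is carried opaquely. It models ESP with NULL encryption (integrity and origin authentication via a keyed HMAC, no cipher, since the standard library has none); the key, SPI, addresses and packet bytes are constructed sample values, and a real security association gets its parameters from IKE.

```python
import hashlib
import hmac
import socket
import struct

ESP_PROTO = 50  # IP protocol number for ESP: all a transit router sees in the outer header
ICV_LEN = 16    # HMAC-SHA-256-128: the 256-bit MAC truncated to 128 bits (RFC 4868)

def ip_header(src, dst, proto, payload_len):
    # Minimal IPv4 header (version 4, IHL 5, TTL 64); checksum left 0 for brevity.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def esp_protect(key, spi, seq, inner_packet, gw_src, gw_dst):
    # Tunnel mode: the whole inner IP packet becomes the ESP payload and a new outer
    # header addressed between the two gateways is prepended. ICV covers SPI|Seq|payload.
    esp = struct.pack("!II", spi, seq) + inner_packet
    icv = hmac.new(key, esp, hashlib.sha256).digest()[:ICV_LEN]
    return ip_header(gw_src, gw_dst, ESP_PROTO, len(esp) + ICV_LEN) + esp + icv

def esp_verify(key, expected_spi, last_seq, packet):
    # Receiving gateway. Returns (status, inner_packet, last_seq). The replay check is
    # the simplified strictly-increasing form, not the RFC 4303 sliding window.
    if packet[9] != ESP_PROTO:
        return "not an ESP packet", None, last_seq
    esp, icv = packet[20:-ICV_LEN], packet[-ICV_LEN:]
    spi, seq = struct.unpack("!II", esp[:8])
    if spi != expected_spi:
        return "no security association for this SPI", None, last_seq
    expected = hmac.new(key, esp, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):  # constant-time comparison
        return "integrity check failed: packet altered or wrong key", None, last_seq
    if seq <= last_seq:
        return "replay suspected: sequence number not increasing", None, last_seq
    return "ok", esp[8:], seq

# Constructed sample: a host at site A sends 4 bytes to a host at site B through the gateways.
KEY = b"constructed-demo-key; real SAs use keys negotiated by IKE"
SPI = 0x00001000
INNER = ip_header("10.1.0.10", "10.2.0.20", 6, 4) + b"data"
OUTER = esp_protect(KEY, SPI, 1, INNER, "203.0.113.1", "198.51.100.1")
TAMPERED = OUTER[:-ICV_LEN - 1] + bytes([OUTER[-ICV_LEN - 1] ^ 1]) + OUTER[-ICV_LEN:]  # flip one bit
RESULTS = {"good": esp_verify(KEY, SPI, 0, OUTER)[0],
           "tampered": esp_verify(KEY, SPI, 0, TAMPERED)[0],
           "replayed": esp_verify(KEY, SPI, 1, OUTER)[0]}   # same seq presented twice
print(RESULTS)
```

The outer header carries only the gateway addresses and protocol 50, so the inner addresses never appear on the public path; the receiver recovers them only after the ICV and sequence checks pass.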

Virtual Private Network-

A Virtual Private Network (VPN) is a technology that creates an encrypted channel over a less secure network. A VPN ensures that the appropriate level of security is provided to the end hosts while they exchange information.
A VPN works on the concept of IPsec and ensures that the Confidentiality, Integrity and Authenticity of the data flow are maintained.
A VPN is always set up between two or more parties. There are a couple of ways to deploy a VPN between the parties.
Types of VPN-
VPNs are broadly classified into IPsec and SSL VPNs, and further classified as described below:
1. IPsec VPN
IPsec VPNs are classified on the basis of the connectivity of the remote end. If the remote end is a static site, it is referred to as a site-to-site VPN or peer-to-peer VPN. If the remote end is dynamic, it is referred to as a remote-access VPN.
Site-to-Site VPN:
A site-to-site VPN allows two or more parties with fixed locations to establish secure connections with each other over a public network such as the Internet. A site-to-site VPN can extend the company's network, making computer resources at one location available to employees at other locations. It can also be used to connect a company with another company's offices. The following network device pairings are used for setting up a site-to-site VPN:
Firewall to Firewall
Firewall to Router (L3)
Router (L3) to Router (L3)
Router to Firewall

Remote-Access VPN:
Remote-access VPNs allow secure access to corporate resources by establishing an encrypted tunnel across the Internet. The ubiquity of the Internet, combined with today's VPN technologies, allows organizations to cost-effectively and securely extend the reach of their networks to anyone, anyplace, anytime. These VPNs are established using pre-installed VPN client software on the user desktop, which focuses them primarily on company-managed desktops/laptops. The reasons for this logical connection are as follows:
Provides secure communications with access rights tailored to individual users, such as employees, contractors, or partners
Enhances productivity by extending the corporate network and applications
Reduces communications costs and increases flexibility

2. SSL VPN (Secure Sockets Layer VPN)

SSL VPN Clientless-

SSL clientless access requires no specialized VPN software on the user desktop. All VPN traffic is transmitted and delivered through a standard Web browser; no other software is required or downloaded. Since all applications and network resources are accessed through a Web browser, only Web-enabled and some client-server applications (such as intranets, applications with Web interfaces, e-mail, calendaring, and file servers) can be accessed using a clientless connection. This limited access, however, is often a perfect fit for business partners or contractors who should only have access to a very limited set of resources on the organization's network. Furthermore, delivering all connectivity through a Web browser eliminates provisioning and support issues, since no special-purpose VPN software has to be delivered to the user desktop.
SSL VPN Full Network Access-
SSL VPN full network access enables access to any application, server, or resource available on the network. Full network access is delivered through a lightweight VPN client that is dynamically downloaded to the user desktop (through a Web browser connection) upon connection to the SSL VPN gateway. Because this VPN client is dynamically downloaded and updated without any manual software distribution or interaction from the end user, it requires little or no desktop support by IT organizations, thereby minimizing deployment and operations costs. Like clientless access, full network access offers full access control customization based on the access privileges of the end user. Full network access is a natural choice for employees who need remote access to the same applications and network resources they use when in the office, or for any client-server application that cannot be delivered across a Web-based clientless connection.
The most commonly used SSL VPN appliance is the Juniper SA series. This is because of its versatility, its features, and its user-friendly, easily manageable GUI.

Following the latest trend, the SSL VPN appliance is now being upgraded to the Pulse Secure Appliance series (PSA and MAG). The image below shows the network appliance for both Juniper and Pulse.

The following tables show the new features introduced in PSA appliances and their benefits.
Key features of PSA and benefits over SA series appliances-

Access Privilege Benefits of PSA-

Flexible SSO feature capabilities of PSA-

Comparing IPsec and SSL VPN Technologies-

The following table depicts the differences between IPsec and SSL VPNs:

Factors and Characteristics

Application and Network Resource Access
  SSL VPN (using full network access) and IPsec VPN both offer broad access to virtually any application or network resource.

End-User Access Method
  SSL VPN: initiated using a Web browser.
  IPsec VPN: initiated using pre-installed VPN client software.

End-User Access Device Options
  SSL VPN: enables access from company-managed, employee-owned, contractor and business partner desktops, as well as Internet kiosks.
  IPsec VPN: enables access primarily from company-managed laptops.

Desktop Software Requirements
  SSL VPN: only a Web browser is required.
  IPsec VPN: requires proprietary pre-installed client software.

Desktop Software Updates
  SSL VPN: basic access can operate without any special-purpose desktop/laptop software, so no updates are required. Full network application access is provided using software that automatically installs and updates without any user knowledge or intervention.
  IPsec VPN: can update automatically, but updates are more intrusive and require user input.

Customized User Access
  SSL VPN: offers granular access policies to define which network resources a user has access to, as well as user-customized Web portals.
  IPsec VPN: offers granular access policies, but no Web portals.

Authentication
  IPsec VPN: uses digital certificates or pre-shared secrets for two-way authentication.
  SSL VPN: SSL Web servers always authenticate with digital certificates; additional security can be provided using multi-factor authentication.

Access Control
  SSL VPN: provides per-user, per-application access control.
  IPsec VPN: provides trusted user groups homogeneous access to entire private servers and subnets; additionally, access can be per-user or per-application.

Client Security
  Whether IPsec or SSL VPN is deployed, the client system must be protected with client security measures such as system firewalls, malware scanning, intrusion prevention, OS authentication and file encryption.
  IPsec VPN: clients include integrated desktop security products to restrict access to systems that conform to organizational security policies. For example, Check Point VPN-1 is integrated with PestPatrol, and WatchGuard Mobile User VPN with Zone Labs ZoneAlarm.
  SSL VPN: clients depend solely on the system's own security measures.
Choosing the Right VPN Technology-
The following table depicts the use-case scenarios and the best-fit VPN for each:

Scenario                                                              SSL VPN   IPsec VPN
"Anywhere" Access from Non-Company-Managed Devices, such as              X
  Employee-Owned Desktops and Internet Kiosks
Business Partner Access                                                  X
User-Customized Access Portals                                           X
Minimized Desktop Support and Software Distribution                      X
Greatest Flexibility to the End-Users                                    X          X
Greatest VPN Client Customizability                                                 X
Ability to Maintain Existing IT Deployment and Support Processes                    X


Authored by - Megha Goyal

TCS Enterprise Security and Risk Management